UK launches regulatory investigation into Equifax data breach

On Tuesday, October 24, the UK’s Financial Conduct Authority (FCA) began a formal investigation into the Equifax data breach that compromised the personal data of approximately 145.5 million people, the majority of whom were in the US. The Atlanta-based credit reporting company has become an international issue, as hackers not only compromised US personal data but also the consumer information of UK citizens. The Information Commissioner’s Office is also investigating the breach.

Reuters reported that on October 10, Equifax disclosed that the cyberattack also affected 15.2 million accounts in the UK, including the sensitive data of about 700,000 individuals. Equifax stated that 14.5 million of the breached records were from 2011 to 2016 and did not contain information that would put UK consumers at risk.

It will be interesting to see how this plays out, as the data breach happened in the US beyond the oversight of the U.K.’s data protection authorities.

Equifax has identified four groups of affected UK customers whose information was stolen:

  • 637,000 phone numbers
  • 29,000 driving license numbers
  • 15,000 individual Equifax membership details, such as usernames and passwords
  • 12,000 email addresses

Equifax is cooperating with the FCA and other regulators. Equifax will notify the remaining 693,665 affected UK consumers by mail, and offer them a number of its own and third-party risk-mitigation products free of charge.

In a statement, Equifax asserted it welcomes the investigation: “Equifax Ltd is already working closely with the FCA and other authorities: we welcome this opportunity to learn the lessons from this criminal cyber-attack in order for all businesses to better protect consumers in the future. Cybercrime is a real and ever-present risk faced by all companies, so it is important that Government, regulators and businesses work together to combat this growing threat. We see today’s announcement as a continuation of that process.”

The Wall Street Journal reported on October 10 that the Equifax data breach also exposed the driver’s license numbers of about 10.9 million Americans.

Protect the personal data that you maintain and prepare for the EU GDPR

The global cybersecurity landscape will change with the General Data Protection Regulation (GDPR). The regulation takes a different and more substantive approach to the issue of jurisdiction. If the data is collected by an organization operating entirely outside the EU, it will be governed by the Regulation, specifically if the data relates to goods or services offered to EU residents or to monitoring their behavior.

Data security plays a prominent role in the GDPR, where organizations are required to “implement appropriate technical and organisational measures” taking into account “the state of the art and the costs of implementation” and “the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.”

Does your organization maintain the data of any citizen outside of the US?  If your organization holds private data from EU nations, you will need to make sure to become GDPR compliant – the enforcement date is May 25, 2018. If you’re interested in learning more about the EU GDPR, IT Governance is offering the Certified EU General Data Protection Regulation Foundation (GDPR) Training Course in Boston, Massachusetts on November 28, 2017. You’ll gain a comprehensive understanding of the GDPR and its legal implications within US borders, including how it will affect your organization’s personal data handling.

IT Governance supports professional development. All attendees who pass the included exam as part of this one-day introductory training course are awarded the EU GDPR Foundation (EU GDPR F) qualification by IBITGQ. It is accredited by the Institute of Information Security Professionals (IISP) and satisfies the IISP Skills Framework requirements at Level 1: A1, A2, A3, A4, A5, A6, A7, B1 and C2.